See? Firewall rules are fine.
On Fri, 2013-07-12 at 11:04 +0200, Erik K. wrote:
Hi Michael, here are the ovpn chains
Chain OVPNFORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OVPNINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329

Chain OVPN_BLUE_FORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OVPN_BLUE_INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:carrius-rshell
ACCEPT     all  --  anywhere             anywhere
and the rest of iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
BADTCP     all  --  anywhere             anywhere
CUSTOMINPUT  all  --  anywhere             anywhere
GUARDIAN   all  --  anywhere             anywhere
IPTVINPUT  all  --  anywhere             anywhere
GUIINPUT   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
IPSECINPUT  all  --  anywhere             anywhere
OPENSSLVIRTUAL  all  --  anywhere             anywhere             /* OPENSSLVIRTUAL INPUT */
ACCEPT     all  --  anywhere             anywhere             state NEW
DROP       all  --  127.0.0.0/8          anywhere             state NEW
DROP       all  --  anywhere             127.0.0.0/8          state NEW
ACCEPT    !icmp --  anywhere             anywhere             state NEW
DHCPBLUEINPUT  all  --  anywhere             anywhere
OVPNINPUT  all  --  anywhere             anywhere
OVPN_BLUE_INPUT  all  --  anywhere             anywhere
OPENSSLPHYSICAL  all  --  anywhere             anywhere
WIRELESSINPUT  all  --  anywhere             anywhere             state NEW
REDINPUT   all  --  anywhere             anywhere
XTACCESS   all  --  anywhere             anywhere             state NEW
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere             anywhere             /* DROP_INPUT */

Chain FORWARD (policy DROP)
target     prot opt source               destination
BADTCP     all  --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
GUARDIAN   all  --  anywhere             anywhere
CUSTOMFORWARD  all  --  anywhere             anywhere
IPTVFORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
IPSECFORWARD  all  --  anywhere             anywhere
OPENSSLVIRTUAL  all  --  anywhere             anywhere             /* OPENSSLVIRTUAL FORWARD */
OUTGOINGFWMAC  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
DROP       all  --  127.0.0.0/8          anywhere             state NEW
OVPNFORWARD  all  --  anywhere             anywhere
OVPN_BLUE_FORWARD  all  --  anywhere             anywhere
DROP       all  --  anywhere             127.0.0.0/8          state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
WIRELESSFORWARD  all  --  anywhere             anywhere             state NEW
REDFORWARD  all  --  anywhere             anywhere
DMZHOLES   all  --  anywhere             anywhere             state NEW
PORTFWACCESS  all  --  anywhere             anywhere             state NEW
UPNPFW     all  --  anywhere             anywhere             state NEW
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
DROP       all  --  anywhere             anywhere             /* DROP_OUTPUT */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
CUSTOMOUTPUT  all  --  anywhere             anywhere
OUTGOINGFW  all  --  anywhere             anywhere
IPSECOUTPUT  all  --  anywhere             anywhere

Chain BADTCP (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN      tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST
PSCAN      tcp  --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN
NEWNOTSYN  tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW

Chain CUSTOMFORWARD (1 references)
target     prot opt source               destination
ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn

Chain CUSTOMINPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
ACCEPT     tcp  --  192.168.110.3        ipfire-bbach.local   tcp dpt:snpp
ACCEPT     tcp  --  10.1.2.2             ipfire-bbach.local   tcp dpt:snpp
ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
REJECT     tcp  --  anywhere             ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable
ACCEPT     udp  --  10.75.18.0/24        192.168.110.1        udp dpt:openvpn
DROP       all  --  anywhere             192.168.220.255
DROP       all  --  anywhere             all-systems.mcast.net
DROP       all  --  anywhere             192.168.2.255

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination

Chain DHCPBLUEINPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps

Chain DMZHOLES (2 references)
target     prot opt source               destination

Chain GUARDIAN (2 references)
target     prot opt source               destination

Chain GUIINPUT (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain IPSECFORWARD (1 references)
target     prot opt source               destination

Chain IPSECINPUT (1 references)
target     prot opt source               destination

Chain IPSECOUTPUT (1 references)
target     prot opt source               destination

Chain IPTVFORWARD (1 references)
target     prot opt source               destination

Chain IPTVINPUT (1 references)
target     prot opt source               destination

Chain LOG_DROP (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
DROP       all  --  anywhere             anywhere

Chain LOG_REJECT (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
DROP       all  --  anywhere             anywhere             /* DROP_NEWNOTSYN */

Chain OPENSSLPHYSICAL (1 references)
target     prot opt source               destination

Chain OPENSSLVIRTUAL (2 references)
target     prot opt source               destination

Chain OUTGOINGFW (1 references)
target     prot opt source               destination

Chain OUTGOINGFWMAC (1 references)
target     prot opt source               destination

Chain PORTFWACCESS (1 references)
target     prot opt source               destination

Chain PSCAN (5 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
LOG        udp  --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
LOG        icmp --  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
LOG        all  -f  anywhere             anywhere             limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
DROP       all  --  anywhere             anywhere             /* DROP_PScan */

Chain REDFORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain REDINPUT (1 references)
target     prot opt source               destination

Chain UPNPFW (1 references)
target     prot opt source               destination

Chain WIRELESSFORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
DMZHOLES   all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessforward"
DROP       all  --  anywhere             anywhere             /* DROP_Wirelessforward */

Chain WIRELESSINPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             MAC 00:17:F2:CD:C9:8B
LOG        all  --  anywhere             anywhere             LOG level warning prefix "DROP_Wirelessinput"
DROP       all  --  anywhere             anywhere             /* DROP_Wirelessinput */

Chain XTACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.2.2          tcp dpt:ident
Erik
On 12.07.2013 at 00:06, Michael Tremer wrote:
Could you provide the iptables ruleset that is loaded?
This should not be caused by the latest NAT changes in core update 70. But that's just a wild guess.
-Michael
On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
Hi all, I have tried Core 70 and OpenVPN N2N today and I have had problems establishing the connection.
The infrastructure:
IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
So both sides are behind double NAT. The log messages give me the following back:

Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)

I have never seen this message (the one in the middle) before...
So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I then changed it to the remote IP (in versions before Core 70 this was not necessary) and the following log output appeared:

Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
Jul 11 20:22:49 ipfire-bbach Testn2n[6875]: UDPv4 link remote: 172.11.xx.xx:5329
Jul 11 20:23:50 ipfire Testn2n[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
Does anyone have an idea what's causing this problem?
Greetings
Erik
Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
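The question in this thread, whether the loaded ruleset lets the N2N UDP packets through, is easiest to answer by tracing one packet through the chains in order rather than by eyeballing the dump. The following is an added example written for this page, not IPFire code and not anything from the thread's participants: a small parser for the textual `iptables -L` layout plus a first-match-wins tracer that follows jumps into user chains, returns from them when they run out of rules, treats LOG as non-terminal and falls back to the built-in chain's policy. The embedded ruleset is a constructed, cut-down copy of the INPUT path posted above (INPUT, CUSTOMINPUT, OVPNINPUT); the packet source 203.0.113.7 and the helper names `parse_dump`, `trace` and `verdict` are this example's own assumptions.

```python
"""Trace a packet through a textual `iptables -L` dump (added example, not IPFire code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a cut-down copy of the INPUT path from the dump in this thread.
SAMPLE_DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
CUSTOMINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
OVPNINPUT  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere             anywhere             /* DROP_INPUT */

Chain CUSTOMINPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.75.2         ipfire-bbach.local   tcp dpt:snpp
REJECT     tcp  --  anywhere             ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable

Chain OVPNINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    proto: str
    src: str
    dst: str
    extra: str  # everything after the destination column (dpt:, state, comments)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "all" and self.proto != pkt["proto"]:
            return False
        # "anywhere" is 0.0.0.0/0; other values are compared literally, so the packet
        # has to spell addresses the way the dump does (hostname or IP).
        if self.src != "anywhere" and self.src != pkt["src"]:
            return False
        if self.dst != "anywhere" and self.dst != pkt["dst"]:
            return False
        m = re.search(r"\bdpt:(\S+)", self.extra)
        if m and m.group(1) != pkt["dport"]:
            return False
        m = re.search(r"\bstate (\S+)", self.extra)
        if m and pkt["state"] not in m.group(1).split(","):
            return False
        return True


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)


def parse_dump(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L` output into chains, keeping rule order."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or line.startswith("target"):
            continue  # column header
        target, proto, _opt, src, dst, *rest = line.split(None, 5)
        current.rules.append(Rule(target, proto, src, dst, rest[0] if rest else ""))
    return chains


def trace(chains: Dict[str, Chain], name: str, pkt: dict,
          path: Optional[List[str]] = None) -> Tuple[Optional[str], List[str]]:
    """Walk chain `name` in order; return (verdict, list of rules that fired).

    A user chain that runs out of rules (or hits RETURN) yields None so the caller
    carries on with its next rule; a built-in chain falls back to its policy.
    """
    path = [] if path is None else path
    chain = chains[name]
    for rule in chain.rules:
        if not rule.matches(pkt):
            continue
        path.append(f"{name}:{rule.target}")
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target == "RETURN":
            break
        if rule.target in chains:  # jump into a user chain
            inner, _ = trace(chains, rule.target, pkt, path)
            if inner is not None:
                return inner, path
        # LOG, TCPMSS and similar non-terminal targets: keep going
    if chain.policy is not None:
        path.append(f"{name}:policy {chain.policy}")
        return chain.policy, path
    return None, path


def verdict(proto: str, dport: str, state: str = "NEW", src: str = "203.0.113.7",
            dst: str = "ipfire-bbach.local") -> Tuple[Optional[str], List[str]]:
    """Verdict for one packet arriving at INPUT of the constructed sample ruleset."""
    pkt = {"proto": proto, "dport": dport, "state": state, "src": src, "dst": dst}
    return trace(parse_dump(SAMPLE_DUMP), "INPUT", pkt)


if __name__ == "__main__":
    for args in (("udp", "5329"), ("tcp", "snpp"), ("tcp", "ssh")):
        v, p = verdict(*args)
        print(f"{args}: {v} via {' -> '.join(p)}")
```

The path output is the useful part: it names the chain and rule that decided the packet, so an accept that fires earlier than expected, or a user chain that is never reached, shows up immediately. Two caveats for real dumps: `iptables -L` without `-v` does not print the `-i`/`-o` interface matches, so a rule shown as `ACCEPT all -- anywhere anywhere` may in fact be bound to one interface, and without `-n` ports are printed as service names (the `carrius-rshell` above is such a name). For a reliable trace feed the tool `iptables -L -v -n` output or work from `iptables-save`, and extend `Rule.matches` for the matches the dump actually contains (this sample handles only protocol, addresses, `dpt:` and `state`).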